RealTime IT News

Some Wicked Script This Way Comes

Microsoft is in deep this week with a vulnerability in the software giant's Internet Information Server (IIS) 4.0 and 5.0 Web server software, which runs on over four million Web sites.

The flaw allows users to execute files on Web sites by requesting a specially crafted Web address. Microsoft released a bulletin about the problem Tuesday, urging customers to patch their systems.

Essentially, the flaw allows a user who crafts a special URL to access any file on a Web server. IIS is supposed to reject requests for any file that is not meant to be displayed on a Web page.

But by including special characters in the URL, an attacker can bypass the filter meant to block such requests. Ultimately, the intruder can view any file sitting on the hard drive that delivers the Web pages.
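As an added illustration of the filter-bypass pattern described above (example code written for this page, not from the article, Microsoft or IIS): a check that inspects the raw URL before decoding misses percent-encoded traversal, while a check on the canonical on-disk path does not. The web root, request paths and log lines are constructed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # constructed document root

def naive_filter_allows(raw_path: str) -> bool:
    """Flawed check: looks for '..' in the request before any decoding."""
    return ".." not in raw_path

def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), unify slashes,
    drop any query string, then resolve against the web root and collapse
    '.' and '..' segments into the path the server would actually open."""
    decoded = raw_path
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/").split("?", 1)[0]
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))

def canonical_filter_allows(raw_path: str) -> bool:
    """Correct order: decide on the final on-disk path, not on the raw URL."""
    target = canonicalize(raw_path)
    return target == WEB_ROOT or target.startswith(WEB_ROOT + "/")

# Constructed access-log lines: a normal request, a plainly traversing one,
# an encoded one and a double-encoded one.
LOG_LINES = [
    '10.0.0.5 - - [12/Oct/2000:09:01:02] "GET /images/logo.gif HTTP/1.0" 200',
    '10.0.0.7 - - [12/Oct/2000:09:01:09] "GET /images/../../secret.txt HTTP/1.0" 403',
    '10.0.0.7 - - [12/Oct/2000:09:01:15] "GET /images/%2e%2e/%2e%2e/secret.txt HTTP/1.0" 200',
    '10.0.0.7 - - [12/Oct/2000:09:01:21] "GET /images/%252e%252e/%252e%252e/secret.txt HTTP/1.0" 200',
]

def request_path(log_line: str) -> str:
    """Pull the request target out of a common-log-format line."""
    return log_line.split('"')[1].split(" ")[1]

def audit(lines=LOG_LINES) -> list:
    """Return (path, naive_allows, canonical_allows) per line; a True/False
    pair marks a request the raw-URL filter would have let through."""
    return [(p, naive_filter_allows(p), canonical_filter_allows(p))
            for p in map(request_path, lines)]

if __name__ == "__main__":
    for path, naive, canon in audit():
        print(f"{path!r:50} naive={naive!s:5} canonical={canon}")
```

Running the audit over existing logs is a cheap way to find requests that an encoding-unaware filter already let through before the patch was applied.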

While there have been no reports of the hole being exploited, it's possible Web sites have been attacked through it for some time.

No one is quite sure how long this hole has been in the wild. The problem was first brought to Microsoft's attention on Oct. 10 through the security forum Packetstorm, although Beijing's Network Security Focus says it has known about it for a while.

When asked about the use of a modified URL to access the server, Russ Cooper, editor of the NT BugTraq security discussion list, said he wouldn't be surprised if such bypass scripts were being passed around.

"The scripts I'm sure have already been written and I'm sure that there are tools that get passed around that probably already include methods of exploiting or at least tests to see whether you can exploit this on a Web server so, yes, I would say those tools exist," said Cooper.

"I wouldn't say that they are being used widely at this point. I think this will become one of the standard ways that scripts will try to see whether or not they can get in."

Cooper was somewhat diplomatic, but this is not a case of much ado about nothing, because URLs have been tinkered with before to gain access to businesses. Last week, buy.com was the victim of curious users who used the coding of a URL to gain access to people's personal information.

Pete Privateer, president of Pelican Security, said the situation for Microsoft was the "same old thing" that has been happening for years.

"Of course Microsoft is a high-profile target -- it is ubiquitous," Privateer said. "Hackers will attack whoever has the greatest market share and penetration. I saw it a few years ago when people found a lot of bugs in UNIX servers. No server has iron-clad security and people should not overlook the ingenuity of man."

Privateer also said that while much is made about security flaws in servers and software, the desktop breaches often prove to be the most damaging.

"Don't overlook what can happen on the client-side," Privateer said. "Flaws are just as strong on the desktop as they are on servers and software. The 'Love' virus cost people between $10 and $15 billion in damage -- all on the client-side."

Additional reporting for this story was contributed by Brian McWilliams, host of InternetNews Radio.